Update (2022-01-19):
Apple is working on a fix
Changes to WebKit that address a serious security flaw in Apple's implementation of the JavaScript API IndexedDB have surfaced on GitHub, MacRumors reports.
The fix is in the function that lists the available databases: it now lists only databases whose origin (website) is the same as that of the website calling the function. If example.com asks for a list of all available databases, the response contains only databases created by example.com and not, say, google.com or netflix.com.
As MacRumors points out, Apple can't release an update for WebKit on its own, so we'll have to wait for iOS, iPadOS, and macOS updates.
We can also add that FingerprintJS, which discovered the bug, has confirmed that it does not affect older system versions such as iOS 14.
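The same-origin filtering described in the update above, as an added example that is not WebKit's code or part of the original article. It is a toy model of the effect, not of the browser's internals: `DatabaseRegistry`, `listLeaky`, `listSameOrigin` and the sample sites and database names are all constructed for illustration.

```javascript
// Added illustration: toy model of a browser-wide IndexedDB name registry.
// All class, method and database names here are hypothetical, not WebKit code.

// Serialise a URL to its origin (scheme + host + port). URL lowercases the
// scheme and host and drops default ports, so equivalent spellings compare equal.
function originOf(url) {
  const origin = new URL(url).origin;
  if (origin === "null") throw new Error(`opaque origin: ${url}`);
  return origin;
}

class DatabaseRegistry {
  constructor() {
    this.entries = []; // { origin, name, version }
  }

  // Record a database opened by the page at pageUrl.
  open(pageUrl, name, version = 1) {
    const origin = originOf(pageUrl);
    const known = this.entries.find((e) => e.origin === origin && e.name === name);
    if (known) known.version = Math.max(known.version, version);
    else this.entries.push({ origin, name, version });
  }

  // Effect the article describes in Safari 15: a caller sees every origin's names.
  listLeaky(_callerUrl) {
    return this.entries.map(({ name, version }) => ({ name, version }));
  }

  // Behaviour after the fix: only databases whose origin matches the caller's.
  listSameOrigin(callerUrl) {
    const caller = originOf(callerUrl);
    return this.entries
      .filter((e) => e.origin === caller)
      .map(({ name, version }) => ({ name, version }));
  }
}

// Constructed sample data: three sites open databases in the same browser.
function demo() {
  const reg = new DatabaseRegistry();
  reg.open("https://example.com/app", "example-cache");
  reg.open("https://accounts.google.example/", "user-id-PLACEHOLDER");
  reg.open("https://netflix.example/browse", "player-state", 3);
  const caller = "HTTPS://EXAMPLE.COM:443/other/page"; // same origin as example.com
  return {
    leaky: reg.listLeaky(caller).map((d) => d.name),
    fixed: reg.listSameOrigin(caller).map((d) => d.name),
  };
}
```

Note that the comparison is on the full origin, so `http://example.com` and `https://example.com` are different callers and do not see each other's databases.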
Previously:
A bug has been detected in Safari 15 that can leak some activity in the browser, as well as make some personal information associated with your Google account visible to others, as FingerprintJS has reported. Among other things, visited sites can become visible to unauthorized parties.
The problem is how Safari for Mac and iOS implements Indexed Database, an API that saves data in the browser.
Apple is said to have been aware of the problem since the end of November, but has not done anything about it yet. This is despite the fact that it constitutes a serious privacy flaw.
Leakage
When you go to a website that uses a local database in a new tab, a new empty database with the same name is created in all other tabs and windows (except private ones).
Most sites that use these databases give the database a name that indicates which site it belongs to. The result is that all other open sites can in theory see which site you just opened. When you close the tab, these databases are deleted, but by then it is too late.
Worse with Google
Unfortunately, it doesn't end there. Some websites also use unique names that can be associated with a specific user. Google is the biggest and worst example here. Google uses an internal user identifier as the database name, which means that a page programmed to exploit the Safari bug can detect the internal identifier for your Google account.
As if that wasn’t enough, a database is also created for every Google account you’re signed into. If you are logged in, for example, to a private account and a functional account, the spying site detects both of them and can save the connection between them.
Our recommendations
Until Apple fixes the bug, we recommend that you don't sign in to Google at all in Safari. The bug is easy to exploit and is guaranteed to be used by unscrupulous developers to build databases of users' unique Google IDs.
Users who care about privacy would do best to use only new private windows for every page they visit, or for the time being to use an alternative browser that takes privacy seriously, like Firefox or Brave.
You can read more here, and there is also a test demo that shows how the leak works (without actually spying).